CVE-2025-9310: Hard-coded Credentials in yeqifu carRental
A vulnerability was found in yeqifu carRental up to commit 3fabb7eae93d209426638863980301d6f99866b3. It affects an unknown functionality of the file /carRental_war/druid/login.html in the Druid component. Manipulation of this functionality leads to use of hard-coded credentials. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The project follows a rolling release model with continuous delivery, so no version numbers are available for affected or fixed releases.
AI Analysis
Technical Summary
CVE-2025-9310 is a medium-severity vulnerability in yeqifu carRental that affects the code base up to commit 3fabb7eae93d209426638863980301d6f99866b3. The affected file is /carRental_war/druid/login.html, part of the Druid component bundled with the application; the advisory does not name the exact functionality. That path matches the login page of the monitoring console that Alibaba Druid's StatViewServlet serves under /druid/, a console that typically exposes executed SQL statements, data-source details and session information. The core issue is that the credentials protecting this login are hard-coded: anyone who can reach the page over the network can authenticate with the embedded username and password, without prior privileges or user interaction, and bypass the intended access control.

The project follows a rolling release model with no tagged versions, so affected and fixed states can only be identified by commit hash, which complicates both asset inventory and patch management. The CVSS 4.0 base score is 6.9 (medium): network attack vector, no privileges or user interaction required, limited impact on confidentiality (VC:L) and no impact on integrity or availability. The vulnerability has been publicly disclosed, although exploitation in the wild has not been reported at the time of writing; for a hard-coded credential, public disclosure is effectively a public exploit, because the secret can be read from the source repository. No patch links are listed, so no official fix is known yet, and organisations running yeqifu carRental should treat the issue as a live risk until they have mitigated it. Hard-coded credentials (CWE-798) are a well-known anti-pattern: the secret is identical across every deployment, cannot be rotated without a code change, and once extracted gives unauthenticated access and a foothold for further movement within the network.
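The audit step implied above, scanning deployment configuration for literal Druid console credentials, as an added example that is not code from yeqifu carRental, Alibaba Druid or this advisory. It assumes the usual Druid wiring: the console behind /druid/login.html is served by com.alibaba.druid.support.http.StatViewServlet, whose username and password come from the init-params loginUsername and loginPassword in web.xml or, with the Spring Boot starter, from the spring.datasource.druid.stat-view-servlet.login-username / login-password properties. Every configuration sample in the block is constructed; a ${NAME} placeholder is treated as externalised rather than hard-coded.

```python
"""Audit Java web-app configuration for hard-coded Druid console credentials.

Added example, not code from yeqifu carRental or from Alibaba Druid. It assumes
the usual Druid deployment pattern described in the lead-in. All configuration
samples below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

CRED_PARAMS = {"loginUsername", "loginPassword"}
# ${NAME} is resolved from the environment at start-up, so it is not hard-coded.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_.:-]+\}$")

# Constructed web.xml in the vulnerable shape: literal console credentials.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    <init-param><param-name>loginUsername</param-name><param-value>admin</param-value></init-param>
    <init-param><param-name>loginPassword</param-name><param-value>admin123</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed Spring Boot properties: the vulnerable form beside a hardened one
# that keeps the console off by default and takes credentials from the environment.
VULNERABLE_PROPERTIES = """\
spring.datasource.druid.stat-view-servlet.enabled=true
spring.datasource.druid.stat-view-servlet.login-username=admin
spring.datasource.druid.stat-view-servlet.login-password=admin123
"""
HARDENED_PROPERTIES = """\
# Console off unless an internal profile enables it.
spring.datasource.druid.stat-view-servlet.enabled=false
spring.datasource.druid.stat-view-servlet.login-username=${DRUID_CONSOLE_USER}
spring.datasource.druid.stat-view-servlet.login-password=${DRUID_CONSOLE_PASSWORD}
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _mask(value: str) -> str:
    """Never echo the secret in an audit report; show only its length."""
    return "*" * len(value)


def find_hardcoded_servlet_creds(web_xml: str) -> list:
    """Return (servlet-name, param-name, masked-value) for every literal
    loginUsername/loginPassword init-param in a web.xml document."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = "?", []
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = ""
                for c in child:
                    if _local(c.tag) == "param-name":
                        pname = (c.text or "").strip()
                    elif _local(c.tag) == "param-value":
                        pvalue = (c.text or "").strip()
                params.append((pname, pvalue))
        for pname, pvalue in params:
            if pname in CRED_PARAMS and pvalue and not PLACEHOLDER.match(pvalue):
                findings.append((name, pname, _mask(pvalue)))
    return findings


def _is_cred_key(key: str) -> bool:
    """Match login-username / loginPassword style keys regardless of separators."""
    normalised = re.sub(r"[-_.]", "", key).lower()
    return normalised.endswith("loginusername") or normalised.endswith("loginpassword")


def find_hardcoded_property_creds(properties: str) -> list:
    """Return (key, masked-value) for literal console credentials in a Java
    .properties file; ${...} placeholders count as externalised."""
    findings = []
    for raw in properties.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if _is_cred_key(key) and value and not PLACEHOLDER.match(value):
            findings.append((key, _mask(value)))
    return findings


if __name__ == "__main__":
    print("web.xml:", find_hardcoded_servlet_creds(VULNERABLE_WEB_XML))
    print("vulnerable properties:", find_hardcoded_property_creds(VULNERABLE_PROPERTIES))
    print("hardened properties:", find_hardcoded_property_creds(HARDENED_PROPERTIES))
```

Run against a real deployment, point the two functions at the unpacked WAR's WEB-INF/web.xml and at every application*.properties on the classpath; the report deliberately masks values so it can be attached to a ticket without leaking the credential it found.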
Potential Impact
For European organisations running yeqifu carRental, the vulnerability is a tangible risk of unauthorised remote access. An attacker using the hard-coded credentials faces no authentication barrier and can reach whatever the Druid console exposes, which may include executed SQL, data-source details and session information, and from there customer data, rental records or internal management functions. That can mean a data breach, a GDPR violation and operational disruption. The CVSS vector scores no direct impact on integrity or availability, so the primary concern is loss of confidentiality; the access gained can nevertheless be used to escalate privileges or stage further attacks, which raises the overall risk. The rolling release model makes timely patching harder and lengthens the exposure window. European companies in car rental, fleet management and transportation that rely on yeqifu carRental for operations are the most exposed, and regulatory scrutiny of data protection in Europe means exploitation could carry significant legal and financial consequences.
Mitigation Recommendations
1. Inventory every deployment of yeqifu carRental, including its commit hash, and restrict network access to the whole /carRental_war/druid/* path (not just login.html) at the firewall, reverse proxy or WAF so the console is reachable only from administrative networks. If the Druid console is not needed in production, disable the StatViewServlet outright.
2. Audit the code and deployment configuration (web.xml, Spring configuration, properties files) for the hard-coded console username and password and remove them. Change the credentials regardless, because the disclosed values are public.
3. Supply the credentials from the environment (a secrets vault, environment variables or externalised configuration) instead of the code base.
4. Monitor access logs and network traffic for requests to the Druid console, in particular login attempts from outside administrative networks.
5. Follow the project for a fix and apply it promptly; with a rolling release, confirm the fix by commit hash rather than version number.
6. If a fix is delayed, isolate the affected systems on a segmented network to reduce the attack surface.
7. Train development teams on secure handling of secrets to prevent recurrence.
8. Validate the mitigations with a penetration test focused on authentication bypass and credential extraction.
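Recommendation 4 in practice, as an added example rather than anything from the advisory or the project: a small detector that runs over Tomcat access-log lines, keeps only requests under /carRental_war/druid/ from outside an administrative allowlist, and flags addresses that submit the login form and then successfully pull console data. It assumes Tomcat's common log format, the console prefix named in the advisory, and that Druid's login page posts to /druid/submitLogin; the internal ranges and every log line are constructed for illustration.

```python
"""Flag access to the Druid monitoring console in Tomcat access logs.

Added example, not part of the original advisory or of yeqifu carRental.
Assumptions: Tomcat common log format, the console under /carRental_war/druid/,
and a login form that posts to /druid/submitLogin. The internal ranges and the
sample log are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

DRUID_PREFIX = "/carRental_war/druid/"
# Assumption: administrators reach the console only from these ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): an internal admin visit plus an
# external host that loads the login page, submits credentials, then pulls
# SQL statistics, and a second external host that only looks at the login page.
SAMPLE_LOG = """\
10.0.5.12 - - [21/Aug/2025:16:40:01 +0000] "GET /carRental_war/index.jsp HTTP/1.1" 200 5123
203.0.113.45 - - [21/Aug/2025:16:41:07 +0000] "GET /carRental_war/druid/login.html HTTP/1.1" 200 2048
203.0.113.45 - - [21/Aug/2025:16:41:09 +0000] "POST /carRental_war/druid/submitLogin HTTP/1.1" 200 7
203.0.113.45 - - [21/Aug/2025:16:41:12 +0000] "GET /carRental_war/druid/sql.json?orderBy=SQL HTTP/1.1" 200 9812
10.0.5.12 - - [21/Aug/2025:16:42:30 +0000] "GET /carRental_war/druid/index.html HTTP/1.1" 200 1500
198.51.100.9 - - [21/Aug/2025:16:43:00 +0000] "GET /carRental_war/druid/login.html HTTP/1.1" 200 2048
"""


def _is_internal(ip_text: str, nets) -> bool:
    """True when the address parses and falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def druid_console_events(log_text: str, internal_nets=INTERNAL_NETS) -> list:
    """Return console requests from outside the trusted ranges, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        path = m["path"].split("?", 1)[0]
        if not path.startswith(DRUID_PREFIX) or _is_internal(m["ip"], internal_nets):
            continue
        if m["method"] == "POST" and path.endswith("/submitLogin"):
            kind = "login_attempt"
        elif path.endswith("/login.html"):
            kind = "login_page"
        else:
            kind = "console_data"
        events.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                       "path": path, "status": int(m["status"])})
    return events


def likely_successful_logins(events: list) -> list:
    """Heuristic: a login attempt followed by a 200 on a console data endpoint
    from the same address means the credentials worked. The login POST itself
    is not a useful signal, since Druid's handler typically answers it with a
    200 carrying "success" or "error" in the body either way (assumption)."""
    attempted, confirmed = set(), []
    for e in events:
        if e["kind"] == "login_attempt":
            attempted.add(e["ip"])
        elif (e["kind"] == "console_data" and e["status"] == 200
              and e["ip"] in attempted and e["ip"] not in confirmed):
            confirmed.append(e["ip"])
    return confirmed


def summarize(events: list) -> Counter:
    """Count (ip, kind) pairs for a quick triage view."""
    return Counter((e["ip"], e["kind"]) for e in events)


if __name__ == "__main__":
    evts = druid_console_events(SAMPLE_LOG)
    for key, n in sorted(summarize(evts).items()):
        print(key, n)
    print("likely successful console logins:", likely_successful_logins(evts))
```

Any non-zero result from likely_successful_logins on a production log is worth an incident ticket on its own: with the credentials public, a successful external login to the console is the exploitation of this CVE, not a false positive to tune away.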
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-21T06:15:48.694Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a74dc5ad5a09ad0012a5d3
Added to database: 8/21/2025, 4:48:05 PM
Last enriched: 8/21/2025, 5:03:05 PM
Last updated: 8/21/2025, 5:47:48 PM
Related Threats
- CVE-2025-7051: CWE-284 in N-able N-central (High)
- CVE-2025-57768: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Alanaktion phproject (Medium)
- CVE-2025-55524: n/a (Unknown)
- CVE-2025-55523: n/a (Unknown)
- CVE-2025-43754: CWE-208 Observable Timing Discrepancy in Liferay Portal (Medium)